Firebase Validation/Audit Status

[Marty Nelson]

According to this article: http://www.crn.com/news/security/300074973/google-joins-amazon-others-in-gaining-pci-dss-validation.htm

In addition to PCI DSS, Google Cloud Platform is ISO 27001 certified and is validated under HIPAA, SOC2/SOC, and SSAE 16.

Is Firebase part of GCP? Later in the article:

Google Cloud Platform supports a variety of services, from using its compute power to establishing Hadoop clusters for big data projects. The company has cut prices five times since March on several features of its cloud, but said it is committed to expanding its partner ecosystem adding implementation and service partners. The company believes its Docker, an open platform for developers and system administrators, and Firebase, a Backend-as-a-Service (BAAS) for web applications, provide opportunity for the channel.

Seems to imply it is.

Reason I ask is we have potential clients who might be in health care or other industry were validation/certification for how data is stored is a question we get asked. Clearly you do a better job then we do - which is why backend as a service makes so much sense.

Would be good to know what specifically Firebase has been certified validated for.

[Mike Mcdonald]

Hi Marty,

Good questions, I'll do my best to answer them.

First off, Firebase is part of the Google Cloud Platform, and we've been hard at work since the acquisition last October to move infrastructure and processes around in order to get the certifications our customers need.

That said, we haven't completed migration to GCP yet, so we aren't yet fully covered under all of GCP's certifications (available here). Our current datacenter provider is SOC2, ISO 27001, and Safe Harbor certified, but unfortunately we are not yet HIPAA compliant, so we can't recommend storage of PHI on Firebase yet.

Let me know if you have additional questions, and if you have specific use case related questions, feel free to route them to sup...@firebase.com and we can handle them on a private channel.

Thanks,

--Mike

[Marty Nelson]

Thanks Mike!

We don't have any specific use cases, but we're a SaaS visual project management tool so we cut across different industries. Most of the questions we've fielded thus far are over-reaching in the real need for such validations, but customers will be customers in asking them :)

The story as it is today is pretty compelling, especially now that you're under GCP and headed towards filling the validation gaps.

I also just have to say how valuable firebase has been as a service. Obviously technically, but also as our "back-end infrastructure" and all the details that implies - that you just take care of for us. 

Keep up the good work!

[Mike Mcdonald]

Marty,

Definitely understand the customer desire for these certs, and I know that GCP has seen good things come from having them (certainly HIPAA). Unfortunately, they are slow going, so while we'd love to have them, it's a tradeoff to get features developed vs getting them approved.

Thanks for the kind words--our goal is to help developers create extraordinary experiences and you're exactly right that having us take care of the back-end enables developers to focus on what matters most to their users.

If there are other things we can do to help improve the experience moving forward, please let us know :)

Thanks,

--Mike

[Ran Styr]

Hi Mike,

You Wrote above "Our current datacenter provider is SOC2, ISO 27001, and Safe Harbor certified", Where can I find any documentation for it (looking for something to show our customers)?

BTW, any progress with "completed migration to GCP" (HIPAA compliant)?

Thanks,

Ran.

[Mike Mcdonald]

Yes, the Firebase Realtime Database runs on GCP, and we provide Privacy Shield certification. See GCP's security info for more information on how security is done.

Nothing more on HIPAA for the time being--that one's a bit of a different beast.

Thanks,

--Mike